# AES_Adv_1

In SCA101, we focused only on a single attack location, the SBox, without much explanation or experimentation. In this lab, we'll be trying some other attack locations to better understand why the SBox was used exclusively in SCA101.

## Capture

In [1]:
SCOPETYPE = 'OPENADC'
PLATFORM = 'CWLITEARM'
CRYPTO_TARGET = 'TINYAES128C'

In [2]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET"
cd ../../hardware/victims/firmware/simpleserial-aes
make PLATFORM=$1 CRYPTO_TARGET=$2

Building for platform CWLITEARM with CRYPTO_TARGET=TINYAES128C
SS_VER set to SS_VER_1_1
Blank crypto options, building for AES128
rm -f -- simpleserial-aes-CWLITEARM.hex
rm -f -- simpleserial-aes-CWLITEARM.eep
rm -f -- simpleserial-aes-CWLITEARM.cof
rm -f -- simpleserial-aes-CWLITEARM.elf
rm -f -- simpleserial-aes-CWLITEARM.map
rm -f -- simpleserial-aes-CWLITEARM.sym
rm -f -- simpleserial-aes-CWLITEARM.lss
rm -f -- objdir/*.o
rm -f -- objdir/*.lst
rm -f -- simpleserial-aes.s simpleserial.s stm32f3_hal.s stm32f3_hal_lowlevel.s stm32f3_sysmem.s aes.s aes-independant.s
rm -f -- simpleserial-aes.d simpleserial.d stm32f3_hal.d stm32f3_hal_lowlevel.d stm32f3_sysmem.d aes.d aes-independant.d
rm -f -- simpleserial-aes.i simpleserial.i stm32f3_hal.i stm32f3_hal_lowlevel.i stm32f3_sysmem.i aes.i aes-independant.i
.
Welcome to another exciting ChipWhisperer target build!!
arm-none-eabi-gcc.exe (GNU Tools for ARM Embedded Processors 6-2017-q1-update) 6.3.1 20170215 (release) [ARM/embedded-6-branch

In [3]:
%run "../Helper_Scripts/Setup_Generic.ipynb"

Serial baud rate = 38400
INFO: Found ChipWhisperer😍


In [4]:
fw_path = '../../hardware/victims/firmware/simpleserial-aes/simpleserial-aes-{}.hex'.format(PLATFORM)
cw.program_target(scope, prog, fw_path)

Serial baud rate = 115200
Detected known STMF32: STM32F302xB(C)/303xB(C)
Extended erase (0x44), this can take ten seconds or more
Attempting to program 5971 bytes at 0x8000000
STM32F Programming flash...
STM32F Reading flash...
Verified flash OK, 5971 bytes
Serial baud rate = 38400


In [5]:
#Capture Traces
from tqdm import tnrange, trange
import numpy as np
import time

ktp = cw.ktp.Basic()

traces = []
N = 200  # Number of traces
project = cw.create_project("AES_Adv_1.cwp")

for i in trange(N, desc='Capturing traces'):
    key, text = ktp.next()  # manual creation of a key, text pair can be substituted here

    trace = cw.capture_trace(scope, target, text, key)
    if trace is None:
        continue
    project.traces.append(trace)

#Convert traces to numpy arrays

Capturing traces: 100%|██████████████████████| 200/200 [00:04<00:00, 40.39it/s]


In [6]:
import chipwhisperer.analyzer as cwa
leak_model = cwa.leakage_models.sbox_output
attack = cwa.cpa(project, leak_model)
import chipwhisperer as cw
cb = cwa.get_jupyter_callback(attack)
results = attack.run(cb, 10)

Unnamed: 0,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
PGE=,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
0,2B 0.819,7E 0.833,15 0.779,16 0.834,28 0.828,AE 0.844,D2 0.808,A6 0.796,AB 0.855,F7 0.831,15 0.814,88 0.816,09 0.787,CF 0.807,4F 0.825,3C 0.815
1,28 0.327,55 0.366,A3 0.350,82 0.352,5C 0.349,4B 0.345,E0 0.390,93 0.391,72 0.333,21 0.337,FF 0.335,39 0.372,57 0.332,F9 0.323,07 0.358,F4 0.350
2,AE 0.319,7C 0.319,01 0.348,45 0.330,D5 0.330,FB 0.327,3C 0.318,3D 0.355,8B 0.329,55 0.334,91 0.334,AF 0.331,AF 0.316,B2 0.321,65 0.332,97 0.334
3,CF 0.307,25 0.315,7B 0.327,40 0.328,8E 0.307,E5 0.324,9A 0.316,83 0.336,3D 0.321,AC 0.311,20 0.334,F5 0.329,44 0.314,FF 0.320,FD 0.321,5B 0.306
4,14 0.307,C0 0.312,87 0.322,46 0.328,A6 0.306,EF 0.323,75 0.306,E8 0.336,63 0.314,34 0.310,2E 0.327,AD 0.328,68 0.306,05 0.311,F9 0.319,89 0.306


In [7]:
print(results.key_guess())

[43, 126, 21, 22, 40, 174, 210, 166, 171, 247, 21, 136, 9, 207, 79, 60]


In [9]:
leak_model.key_schedule_rounds(results.key_guess(), 0, 10)

[208, 20, 249, 168, 201, 238, 37, 137, 225, 63, 12, 200, 182, 99, 12, 166]

In [7]:
plot_data = cwa.analyzer_plots(results)
def byte_to_color(idx):
    return hv.Palette.colormaps['Category20'](idx/16.0)

import holoviews as hv
from holoviews.operation.datashader import datashade, shade, dynspread, rasterize
from holoviews.operation import decimate
import pandas as pd, numpy as np

a = []
b = []
hv.extension('bokeh')
for i in range(0, 16):
    data = plot_data.output_vs_time(i)
    a.append(np.array(data[1]))
    b.append(np.array(data[2]))
    b.append(np.array(data[3]))
    
pda = pd.DataFrame(a).transpose().rename(str, axis='columns')
pdb = pd.DataFrame(b).transpose().rename(str, axis='columns')
curve = hv.Curve(pdb['0'], "Sample").options(color='black')
for i in range(1, 16):
    curve *= hv.Curve(pdb[str(i)]).options(color='black')
    
for i in range(0, 16):
    curve *= hv.Curve(pda[str(i)]).options(color=byte_to_color(i))
decimate(curve.opts(width=900, height=600))

  import pandas.util.testing as tm
  from pandas.core.index import CategoricalIndex, RangeIndex, Index, MultiIndex
  class Image(xr.DataArray):


ERROR:root:Internal Python error in the inspect module.
Below is the traceback from this internal error.


KeyboardInterrupt



In [None]:
import chipwhisperer.analyzer as cwa
leak_model = cwa.leakage_models.sbox_output
attack = cwa.cpa(project, leak_model)
import chipwhisperer as cw
cb = cwa.get_jupyter_callback(attack)
results = attack.run(cb, 10)

In [24]:
leak_model = cwa.leakage_models.plaintext_key_xor

In [26]:
print(cwa.leakage_models)

after_key_mix:
  After key mix operation.

inverse_sbox_output:
  Inverse Sbox output.

last_round_state:
  Last round state.

last_round_state_diff:
  Last round state using hamming distance.

last_round_state_diff_alternate:
  Last round state using hamming distance, alternate.

mix_columns_output:
  Output of the mix columns operation.

plaintext_key_xor:
  Plain text key XOR.

round_1_2_state_diff_key_mix:
  Hamming distance between round 1 and 2 state during key mix
  operation.

round_1_2_state_diff_sbox:
  Hamming distance between round 1 and 2 state during sbox lookup
  operation.

round_1_2_state_diff_text:
  Hamming distance between round 1 and 2 state using plain text.

sbox_in_out_diff:
  Hamming distance between SBox input and output.

sbox_input_successive:
  Successive Sbox input.

sbox_output:
  SBox Output.

sbox_output_successive:
  Successive SBox output.

shift_columns_output:
  Output of the shift columns operation.


In [25]:
attack = cwa.cpa(project, leak_model)
import chipwhisperer as cw
cb = cwa.get_jupyter_callback(attack)
results = attack.run(cb, 10)

Unnamed: 0,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
PGE=,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,1
0,D4 0.846,81 0.875,EA 0.919,E9 0.915,D7 0.898,AE 0.876,D2 0.891,A6 0.906,AB 0.806,F7 0.825,EA 0.909,88 0.902,F6 0.907,CF 0.875,B0 0.883,C3 0.853
1,2B 0.846,7E 0.875,15 0.919,16 0.915,28 0.898,51 0.876,2D 0.891,59 0.906,54 0.806,08 0.825,15 0.909,77 0.902,09 0.907,30 0.875,4F 0.883,3C 0.853
2,C0 0.787,85 0.746,EE 0.762,EB 0.781,DF 0.773,AF 0.772,C2 0.797,D9 0.799,AF 0.765,F3 0.772,FC 0.744,F7 0.746,F7 0.768,C7 0.738,B8 0.737,CB 0.741
3,3F 0.787,7A 0.746,11 0.762,14 0.781,20 0.773,50 0.772,3D 0.797,26 0.799,50 0.765,0C 0.772,03 0.744,08 0.746,08 0.768,38 0.738,47 0.737,34 0.741
4,D0 0.724,83 0.719,FA 0.759,F9 0.731,C7 0.742,BF 0.760,D0 0.758,A4 0.784,D4 0.710,88 0.676,EE 0.719,80 0.738,FE 0.744,CB 0.736,B4 0.728,C7 0.710


At first glance, our attack appears to have partially failed, recovering roughly half the key bytes. This isn't quite true: we've got two equal key guesses for each byte. Remember back to the "recovering data from a single bit" slides: the correct key and its inverse will produce inverted results. This means that they're both have the same correlation with the power trace, just that one is negative and one is positive.

So we have two possible guesses for each key. Is this enough to stop us from recovering the key? In this case, it's pretty easy to brute force the correct key. In an actual attack, we might not know the ciphertext, making it much harder to bruteforce the key.

The XOR operation is also linear, meaning incorrect key guesses have higher correlations than they would with a non-linear operation like the SBox. If we didn't have as nice of a measurement environment, this might make the difference between being able to tell we've got the key and not.

In [17]:
plot_data = cwa.analyzer_plots(results)
def byte_to_color(idx):
    return hv.Palette.colormaps['Category20'](idx/16.0)

import holoviews as hv
from holoviews.operation.datashader import datashade, shade, dynspread, rasterize
from holoviews.operation import decimate
import pandas as pd, numpy as np

a = []
b = []
hv.extension('bokeh')
for i in range(0, 16):
    data = plot_data.output_vs_time(i)
    a.append(np.array(data[1]))
    b.append(np.array(data[2]))
    b.append(np.array(data[3]))
    
pda = pd.DataFrame(a).transpose().rename(str, axis='columns')
pdb = pd.DataFrame(b).transpose().rename(str, axis='columns')
curve = hv.Curve(pdb['0'], "Sample").options(color='black')
for i in range(1, 16):
    curve *= hv.Curve(pdb[str(i)]).options(color='black')
    
for i in range(0, 16):
    curve *= hv.Curve(pda[str(i)]).options(color=byte_to_color(i))
decimate(curve.opts(width=900, height=600))

In [23]:
import chipwhisperer.analyzer as cwa
leak_model = cwa.leakage_models.new_model(ShiftRowsOutput)
attack = cwa.cpa(project, leak_model)
import chipwhisperer as cw
cb = cwa.get_jupyter_callback(attack)
results = attack.run(cb, 10)

Unnamed: 0,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
PGE=,0,159,0,213,0,139,240,146,0,125,0,79,0,29,131,50
0,2B 0.876,AE 0.825,15 0.840,3C 0.839,28 0.905,F7 0.875,4F 0.863,16 0.844,AB 0.867,CF 0.842,15 0.852,A6 0.826,09 0.884,7E 0.837,D2 0.857,88 0.857
1,14 0.373,20 0.354,58 0.367,00 0.350,3F 0.329,5D 0.324,00 0.340,6D 0.383,4F 0.359,BF 0.390,86 0.352,53 0.345,FC 0.393,39 0.362,51 0.352,31 0.349
2,E2 0.360,7D 0.350,11 0.352,D3 0.328,83 0.326,11 0.321,3C 0.339,8A 0.358,68 0.343,F0 0.326,FC 0.348,27 0.335,E5 0.351,7D 0.356,75 0.331,11 0.346
3,17 0.334,81 0.349,CE 0.350,3E 0.328,5B 0.326,9F 0.311,DF 0.338,72 0.354,27 0.340,73 0.325,F1 0.339,BD 0.322,A0 0.330,25 0.343,81 0.325,7C 0.346
4,18 0.333,13 0.329,64 0.336,EB 0.322,CC 0.323,5E 0.306,38 0.332,D5 0.336,5E 0.333,25 0.323,85 0.339,0E 0.321,FB 0.327,42 0.338,3E 0.323,35 0.330


For the shift rows output, we can see that the attack has again failed. This time, it's much worse: we've recovered only 4 bytes. All the rest have completely failed! You might've noticed something odd about the bytes that failed: every key guess has exactly the same correlation! To understand this, we'll need to look at what the shift rows instruction actuall does. As the name suggests, it shifts the rows of the AES state around, more specifically, it turns the following matrix:

$$
state = \left( \begin{array}
& S0 & S4 & S8 & S12 \\
S1 & S5 & S9 & S13 \\
S2 & S6 & S10 & S14 \\
S3 & S7 & S11 & S15
\end{array} \right)
$$

into this one:

$$
state = \left( \begin{array}
& S0 & S4 & S8 & S12 \\
S5 & S9 & S13 & S1 \\
S10 & S14 & S2 & S6 \\
S15 & S3 & S7 & S11
\end{array} \right)
$$

Except for the top row, for which our guess succeeded, the bytes don't align anymore. This isn't technically a difference that should affect anything in our attack. Analyzer, however, only considers one byte key guess at a time and assumes that all the others are zero. This means the leakage was always calculated for a key byte of 0. We could fix this in the leakage model, but really there's no reason to: shift rows is just moving values around, it's not changing anything. This means we don't really learn anything new as compared to the SBox output, at least for a software AES attack.

A similar problem affects the next operation in AES, mix columns. It however, can't be fixed with a simple leakage model change. The mix columns operation provides **diffusion**, which means that multiple bytes are combined together (4 per column). Suddenly, we can't guess each key byte individually, we need to guess them as groups of 4. Suddenly, our attack has went from a search space of $16*2^8=4096$ to $4*2^{32}=17179869184$, which would take more time to break than you're probably willing to put into a lab.

In [30]:
import chipwhisperer.analyzer as cwa
leak_model = cwa.leakage_models.mix_columns_output
attack = cwa.cpa(project, leak_model)
import chipwhisperer as cw
cb = cwa.get_jupyter_callback(attack)
results = attack.run(cb, 10)

Unnamed: 0,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
PGE=,0,129,234,233,0,81,45,89,0,8,234,119,0,48,176,195
0,2B 0.859,FF 0.855,FF 0.871,FF 0.923,28 0.830,FF 0.863,FF 0.826,FF 0.922,AB 0.852,FF 0.851,FF 0.828,FF 0.906,09 0.843,FF 0.848,FF 0.842,FF 0.907
1,43 0.323,FE 0.855,FE 0.871,FE 0.923,21 0.334,FE 0.863,FE 0.826,FE 0.922,27 0.323,FE 0.851,FE 0.828,FE 0.906,20 0.338,FE 0.848,FE 0.842,FE 0.907
2,70 0.316,FD 0.855,FD 0.871,FD 0.923,66 0.330,FD 0.863,FD 0.826,FD 0.922,5A 0.316,FD 0.851,FD 0.828,FD 0.906,F2 0.332,FD 0.848,FD 0.842,FD 0.907
3,74 0.313,FC 0.855,FC 0.871,FC 0.923,E6 0.326,FC 0.863,FC 0.826,FC 0.922,9E 0.314,FC 0.851,FC 0.828,FC 0.906,FB 0.328,FC 0.848,FC 0.842,FC 0.907
4,BD 0.311,FB 0.855,FB 0.871,FB 0.923,64 0.323,FB 0.863,FB 0.826,FB 0.922,F3 0.305,FB 0.851,FB 0.828,FB 0.906,FE 0.327,FB 0.848,FB 0.842,FB 0.907


## Attacking from the other end

As we've seen, there's not much point to advancing past the SBox for our software AES attack. What about attacking from the other end? While the other leakage models didn't really any advantages over the SBox output for a software AES attack, there's actually a big reason why we'd like to try an attack from the other end of AES - we'd be able to use the ciphertext instead of the plaintext. While we know both the plaintext and ciphertext for our lab examples, this might not always be the case. For example, what if the target was encrypting messages and sending them to another device? We could monitor the communication lines to learn the ciphertext, but learning the plaintext isn't quite as simple.

Looking at a block diagram of AES, we can see that the last block is actually different from the rest of the blocks:

![](images/AES_Encryption.png)

The first thing to notice is that there's no MixColumns operation for the last round. Considering how much that operation increases our search space, that's a welcome thing to see! In fact, we can basically repeat our attack from the other plaintext side here, we just need to account for ShiftRows. ChipWhisperer again has a leakage model for this built in. How does it account for ShiftRows? If we take a look at the source for the model:

```python
class LastroundHW(AESLeakageHelper):
    name = 'HW: AES Last-Round State'
    def leakage(self, pt, ct, key, bnum):
        # HD Leakage of AES State between 9th and 10th Round
        # Used to break SASEBO-GII / SAKURA-G
        st10 = ct[self.INVSHIFT_undo[bnum]]
        st9 = inv_sbox(ct[bnum] ^ key[bnum])
        return st9

    def process_known_key(self, inpkey):
        return key_schedule_rounds(inpkey, 0, 10)
```

we can see it just shifts the ciphertext to line up with the correct key. Let's see if we can get this model to work. Capture some traces near the end of the AES operation (remember we're attacking at the last round),

and we can repeat the attack with the new leakage model:

In [None]:
import chipwhisperer.analyzer as cwa
leak_model = cwa.leakage_models.last_round_state
attack = cwa.cpa(project, leak_model)
import chipwhisperer as cw
cb = cwa.get_jupyter_callback(attack)
results = attack.run(cb, 10)

You should see that the attack is really confident about a key, but it doesn't seem to be the right one. The block diagram shown above doesn't tell the whole story. The AddRoundKey operation doesn't keep adding the same key. Instead, a transformation is applied to the key for each round and that is added to the state instead. The leakage model includes a method called `key_schedule_rounds()` that we can use to transform our last round key into the first round key that we would recover normally:

In [None]:
input_key = leak_model.key_schedule_rounds(results.key_guess(), 10, 0)